
I'm somewhat knowledgeable in the concept of Public Key Pinning (HPKP) and I see a potential attack where a server admin could pin a particular cert and thus demand that users' browsers only honour that particular certificate.

However, if the admin wanted to sabotage a company / website, they could, several months before they left, pin a certificate for the max duration and then change the cert on their last day. Many users would then have the wrong cert pinned, many may not know how to fix it, and may not contact the company, causing a business disruption.

My question is, how does a browser handle the pinning? Does clearing the cache remove the pin? What error does the user see on the screen? Is it simply a warning similar to the "self-signed cert" warning?

  • Does this answer your question? [HPKP-based persistent denial-of-service attack on web sites](https://security.stackexchange.com/questions/93191/hpkp-based-persistent-denial-of-service-attack-on-web-sites), [Did google chrome kill public key pinning](https://security.stackexchange.com/questions/213410/did-google-chrome-kill-public-key-pinning). In short: HPKP has been dead for some time now for exactly this kind of problem. – Steffen Ullrich Jun 23 '21 at 04:09

1 Answer

My question is, how does a browser handle the pinning?

Simply: they don't support HPKP any longer, for exactly this kind of problem. See the Compatibility Table for this feature.

Steffen Ullrich
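For readers who still want to see the mechanics the question asks about, the following is an added illustration, not code from the question, the answer or any browser. It models what a conforming HPKP client did per RFC 7469: compute pin-sha256 values over the certificate's SubjectPublicKeyInfo, parse the Public-Key-Pins header (including the mandatory backup pin), remember the pins for max-age seconds, and refuse a chain that contains no pinned key. The SPKI blobs are constructed byte strings, not real keys, and the scenario replays the question's "pin, then swap the cert" situation to show why a pre-published backup key was the only safe way to rotate, and that the stale pins only stop blocking once max-age has elapsed. While Chrome still supported HPKP, a mismatch was a hard failure (ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN) with no click-through, unlike the self-signed certificate warning.

```python
"""Toy HPKP (RFC 7469) pin handling: header parsing, pin computation and
chain validation. Added example for illustration; not browser code."""
import base64
import hashlib
import time
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class PinSet:
    """Pins a browser would remember for one host after seeing the header."""
    pins: Set[str]            # base64(SHA-256(SubjectPublicKeyInfo DER))
    max_age: int              # seconds the pins stay in effect
    include_subdomains: bool
    report_uri: Optional[str]
    received_at: float        # epoch seconds when the header was seen


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str, now: float) -> PinSet:
    """Parse a Public-Key-Pins header into a PinSet, applying the RFC 7469
    rules a conforming browser checked before remembering anything."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_subdomains = False
    report_uri: Optional[str] = None
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = arg
    if max_age is None:
        raise ValueError("max-age directive is required")
    if len(pins) < 2:
        # RFC 7469 requires a backup pin, so a single-pin header is ignored
        raise ValueError("at least two pin-sha256 values (one backup) required")
    return PinSet(pins, max_age, include_subdomains, report_uri, now)


def pins_in_effect(pinset: PinSet, now: float) -> bool:
    """Pins expire max-age seconds after they were received. A client whose
    pin store was cleared behaves as if this returned False."""
    return now < pinset.received_at + pinset.max_age


def chain_matches(pinset: PinSet, chain_spkis: List[bytes], now: float) -> bool:
    """Pin validation: at least one SPKI in the served chain must hash to a
    remembered pin. Returns True when no pin is in effect (nothing to check)."""
    if not pins_in_effect(pinset, now):
        return True
    return any(spki_pin(spki) in pinset.pins for spki in chain_spkis)


# --- constructed scenario (fake SPKI blobs, not real keys) -------------------
OLD_SPKI = b"constructed-spki-of-the-pinned-leaf-certificate"
BACKUP_SPKI = b"constructed-spki-of-the-pre-published-backup-key"
UNPINNED_SPKI = b"constructed-spki-of-a-newly-issued-unpinned-cert"

SIXTY_DAYS = 60 * 24 * 3600


def scenario(now: float = 0.0) -> dict:
    """Replay the question's situation: pins set for 60 days, then the
    certificate is swapped. Only a key whose pin was already published
    (the backup) keeps clients connecting before the pins expire."""
    header = (
        f'pin-sha256="{spki_pin(OLD_SPKI)}"; '
        f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
        f'max-age={SIXTY_DAYS}; includeSubDomains'
    )
    pinset = parse_hpkp_header(header, now)
    a_day_later = now + 86400
    return {
        "old_cert_ok": chain_matches(pinset, [OLD_SPKI], a_day_later),
        "backup_key_ok": chain_matches(pinset, [BACKUP_SPKI], a_day_later),
        "unpinned_cert_ok": chain_matches(pinset, [UNPINNED_SPKI], a_day_later),
        # once max-age has passed the stale pins no longer block the new cert
        "unpinned_after_expiry": chain_matches(
            pinset, [UNPINNED_SPKI], now + SIXTY_DAYS + 1),
    }


if __name__ == "__main__":
    for name, ok in scenario(time.time()).items():
        print(f"{name}: {ok}")
```

Running the module prints the four outcomes: the originally pinned cert and the backup key both pass, a freshly issued cert with no published pin fails until the 60-day max-age has run out. Real browsers additionally only stored ("noted") pins when the header arrived over a chain that itself validated against those pins, which is why the scenario pins both keys up front.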